
Pete Finnigan's Oracle security weblog



Critical patch update - January 2005 is out

January 18th, 2005 by Pete


I have just noticed that Oracle have released their advisory for the first quarterly security patch update. This is the first of the scheduled patches announced last year and talked about here and on news sites around the world.

Oracle's advisory, titled "Critical patch update - January 2005", is also a change from the previous naming convention, with alert 68 being the last to use the original naming convention.

The advisory is a comprehensive document and contains much better information than previous advisories from Oracle. The patch also contains all the fixes included in alert #68. It also contains some non-security fixes that are necessary because of interdependencies.

The key addition in this advisory over previous advisories is the new risk matrix, which details each bug to some degree and also the risk. Each bug is numbered and the component identified, such as Database core, networking, package name etc. The access required is listed next, followed by the privileges necessary for the bug to be exploited, and then the risk for confidentiality, integrity and availability. Finally, the earliest and latest versions are listed, as well as whether a workaround is possible.

This is excellent, well done to Mary Ann Davidson and her team for doing this and improving the information available with the security advisory as compared to previous advisories. I hope that in particular the risk matrix will really help customers make decisions about applying the patches quickly and confidently. Also well done for supporting some of the older releases where it’s relevant. Excellent!

I also see that there are patches for older versions and even de-supported versions which are supported for particular products only. Again a big move forwards.

Links for each patch set are included in the alert. The alert also credits the researchers who have brought bugs to the attention of Oracle. These include Pete Finnigan (me), Alex Kornbrust, Stephen Kost and David Litchfield.

I will release an advisory later this evening now that Oracle's advisory is out.


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
